The nation-state hackers who orchestrated the attack on SolarWinds’ supply chain compromised the computer of a Microsoft customer support agent and used its access to carry out targeted attacks on corporate customers, Microsoft said in a terse statement released late Friday afternoon.
The hacking group also compromised three entities using password-spraying and brute-force techniques. Brute forcing bombards a login server with a large number of password guesses against a single account; password spraying instead tries a handful of common passwords against a large number of accounts, keeping each account below the lockout threshold that a brute-force attempt would trip. With the exception of the three undisclosed entities, Microsoft said, the password-spraying campaign was “usually unsuccessful.” Microsoft has since notified all targets, whether or not the attacks succeeded.
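The two techniques leave different footprints in authentication logs, which is what makes them separable on the defender's side. The following is an added example, not code from the article, from Microsoft or from any vendor: it runs over a few constructed (made-up) login-failure records in a generic "timestamp source-IP user result" format and classifies each source as a password spray (many accounts, few guesses each), a brute-force attempt (many guesses against one account) or benign noise, and it also records any account the source eventually logged in as, since a spray that succeeded is the case that matters. The thresholds and the log format are assumptions chosen for illustration, not any product's defaults.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Illustrative thresholds (assumptions, not vendor defaults).
SPRAY_MIN_ACCOUNTS = 8      # distinct accounts hit from one source
SPRAY_MAX_PER_ACCOUNT = 3   # spraying stays under per-account lockout limits
BRUTE_MIN_ATTEMPTS = 20     # many guesses against a single account
WINDOW = timedelta(minutes=10)


def build_sample_log():
    """Constructed sample records (not real data).

    Format per line: '<ISO timestamp> <source IP> <username> <LOGIN_OK|LOGIN_FAIL>'
    """
    lines = []
    base = datetime(2021, 6, 25, 14, 0, 0)
    # 1) Password spray: one source, ten accounts, one guess each; the last guess works.
    users = ["alice", "bob", "carol", "dave", "erin",
             "frank", "grace", "heidi", "ivan", "judy"]
    for i, user in enumerate(users):
        result = "LOGIN_OK" if user == "judy" else "LOGIN_FAIL"
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} 198.51.100.7 {user} {result}")
    # 2) Brute force: one source hammering a single account.
    for i in range(25):
        ts = (base + timedelta(minutes=1, seconds=i)).isoformat()
        lines.append(f"{ts} 203.0.113.9 mallory LOGIN_FAIL")
    # 3) Benign: a user mistypes once, then logs in.
    lines.append(f"{(base + timedelta(minutes=5)).isoformat()} 192.0.2.44 alice LOGIN_FAIL")
    lines.append(f"{(base + timedelta(minutes=5, seconds=30)).isoformat()} 192.0.2.44 alice LOGIN_OK")
    return lines


def parse(line):
    """Split one record into (timestamp, source_ip, user, result)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result


def classify(lines, window=WINDOW):
    """Return {source_ip: verdict} for the first `window` of activity per source.

    Verdict fields: label (password_spray | brute_force | benign), accounts
    (distinct accounts with failures), peak_failures (most failures against
    any one account) and succeeded_as (accounts the source logged in as,
    reported only for sources flagged as attacks).
    """
    events = sorted((parse(line) for line in lines), key=lambda e: e[0])
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    verdicts = {}
    for ip, evs in by_ip.items():
        # Simplification: one window anchored at the source's first event,
        # rather than a sliding window over the whole log.
        start = evs[0][0]
        in_window = [e for e in evs if e[0] - start <= window]

        failures = defaultdict(int)
        successes = set()
        for _ts, _ip, user, result in in_window:
            if result == "LOGIN_FAIL":
                failures[user] += 1
            elif result == "LOGIN_OK":
                successes.add(user)

        distinct = len(failures)
        peak = max(failures.values(), default=0)
        if distinct >= SPRAY_MIN_ACCOUNTS and peak <= SPRAY_MAX_PER_ACCOUNT:
            label = "password_spray"
        elif peak >= BRUTE_MIN_ATTEMPTS:
            label = "brute_force"
        else:
            label = "benign"

        verdicts[ip] = {
            "label": label,
            "accounts": distinct,
            "peak_failures": peak,
            "succeeded_as": sorted(successes) if label != "benign" else [],
        }
    return verdicts


if __name__ == "__main__":
    for ip, verdict in classify(build_sample_log()).items():
        print(ip, verdict)
```

Keying on source IP is the simplest cut and is enough for the constructed sample, but a spray distributed across many source addresses will slip under the per-source account count; a second pass that counts distinct accounts with a single failure each across the whole tenant per window, regardless of source, catches that variant.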
The discoveries came in Microsoft’s ongoing investigation into Nobelium, Microsoft’s name for the sophisticated hacking group that used SolarWinds software updates and other resources to compromise the networks of nine US agencies and about 100 private companies. The federal government has attributed Nobelium to the SVR, Russia’s Foreign Intelligence Service.
“As part of our investigation into this ongoing activity, we also discovered information-stealing malware on a machine belonging to one of our customer support agents with access to basic account information for a small number of our customers,” Microsoft said in a statement. “The actor used this information in some cases to launch highly targeted attacks as part of their wider campaign.”
According to Reuters, Microsoft released the disclosure of the breach after one of the news outlet’s reporters asked the company about the notification it sent to targeted or hacked customers. Microsoft did not disclose the employee’s computer infection until the fourth paragraph of the five-paragraph message.
The infected agent, Reuters said, had access to contact details for billing and the services customers paid for, among other things. “Microsoft warned affected customers to be careful about communicating with their billing contacts and to consider changing those usernames and email addresses and ban old usernames from logging in,” the news service reported.
The supply chain attack on SolarWinds came to light in December 2020. After breaking into the Austin, Texas-based company and taking over its software build system, Nobelium pushed malicious updates to approximately 18,000 SolarWinds customers.
“The latest cyberattack reported by Microsoft does not in any way affect our company or our customers,” a SolarWinds representative said in an email.
A wide range of goals
The attack on SolarWinds’ supply chain wasn’t the only way Nobelium compromised its targets. Anti-malware provider Malwarebytes has said it was also infected by Nobelium, but via a different vector, which the company has not identified.
Both Microsoft and email management provider Mimecast have said they, too, were hacked by Nobelium, which then used the compromises to break into the companies’ customers or partners.
Microsoft said the password-spray activity was targeted at specific customers, with 57 percent of them IT companies, 20 percent government organizations and the rest non-governmental organizations, think tanks and financial services. About 45 percent of the activity was focused on US interests, 10 percent was aimed at UK customers and smaller numbers were in Germany and Canada. In total, customers in 36 countries were targeted.
Reuters, citing a Microsoft spokesperson, said the breach disclosed Friday was not part of Nobelium’s previous successful attack on Microsoft. The company has not yet provided any key details, including how long the agent’s computer was hacked and whether the compromise involved a Microsoft-managed machine on a Microsoft network or a contract device on a home network.
Friday’s revelation came as a shock to many security analysts.
“I mean, Jesus, if Microsoft can’t keep their own kit free of viruses, how is the rest of the business supposed to do it?” Kenn White, independent security researcher, told me. “You would think that customer-facing systems would be one of the most hardened systems.”